Critical Zero-Day Vulnerabilities Found in These VMware Products


Broadcom has patched three actively exploited zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion, discovered by Microsoft's Threat Intelligence Center. The issues, which were being leveraged in real-world attacks at the time of discovery, may allow attackers with administrator or root access to a virtual machine to breach the underlying hypervisor, potentially exposing all associated VMs and sensitive data.

How do these vulnerabilities work?

If a threat actor gains administrative access to a virtual machine's guest OS, they can escalate privileges and break into the hypervisor. Once inside, they could manipulate or access other virtual machines running on the same hypervisor, posing a significant security risk.

The three vulnerabilities are:

  • CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition if an attacker already has admin privileges.
  • CVE-2025-22225: An arbitrary write vulnerability in VMware ESXi.
  • CVE-2025-22226: An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that could be used to leak memory.

To remediate the vulnerabilities, customers should apply the patches found in Broadcom's notification. All versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform are affected, except those with the most recent update.

Which products are affected?

The following products are affected by all three CVEs (via Rapid7):

  • Broadcom VMware ESXi 7.0 and 8.0.
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x.
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x.
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x.

The following product is vulnerable to CVE-2025-22224 and CVE-2025-22226 specifically:

  • Broadcom VMware Workstation 17.x.

The following product is vulnerable to CVE-2025-22226 specifically:

  • Broadcom VMware Fusion 13.x.

VMware's Live Patch feature will not apply the patches automatically in this case.

VMware Cloud Foundation Operations, Automation, Aria Suite, and VMware NSX are not affected.

Last year, VMware ESXi servers were hit by a double-extortion ransomware variant, with the threat actors impersonating a real organization.


